Forum Discussion

newf5learner_13
Aug 10, 2015

APM - URLs in the email are accessible when launched through an OWA session using access policies

I have come across an APM solution for the OWA service where URLs in the email are accessible when the client opens his email through an OWA session launched using access policies on the APM. Ideally OWA via APM is used for email access from the external internet. To explain it a bit more, the setup is as follows: email is launched using the VIP configured on the APM, on which an access policy for OWA access was set up. The client is able to authenticate and launch his resources, i.e. his mailbox. If there are any URLs in his email, he is able to access them too.

Let's say the OWA VIP is and there is a URL in the Outlook mail, let's say https://myinternalserver.mydomain.com/home/init.jsp; if the client clicks on it, he is able to access the URL through the APM default route. When the client clicks on the URL, a new tab opens and the URL will be https://mail.domain.com/f5-w1232346453429$$/home/init.jsp, which means that APM is trying to open a connection to internal servers using a default route or some VLAN configured on the APM. Ideally this shouldn't be the case; the user should be prompted with an error page showing 'You do not have permission to access this page.' Can someone suggest how to block this URL redirection or accessibility?

 

7 Replies

  • Hi,

    You configured the APM in SSL VPN mode instead of LTM+APM mode.

    You need to:

    • configure the VS with:
      • default pool: Exchange server
      • http profile
      • Access policy
      • SNAT automap if needed
    • configure the access policy with:
      • SSO auth with the external URL instead of the internal URL (in the OWA Form template)
      • Logon -> Auth -> Query -> SSO Credential mapping -> Allow

    In this configuration, APM will not rewrite any URL...

     

  • Thanks for the quick response. Don't we have another way to get this done? We don't care about the URL redirection, but the client doesn't want the URL to be opened when he opens it from the OWA session. I have seen a similar setup where, for the same URL in the email, we get an error page 'You do not have permission to access this page' though the redirected URL still reads the same 'https://mail.domain.com/f5-w1232346453429$$/home/init.jsp'. All I want is to ensure that the internal server page is not accessed when the client uses OWA on an APM session.

    Thanks

     

  • You can configure your rewrite profile to be split tunnel. Enter the URLs you want rewritten in the rewrite list and anything not in that list should not be rewritten.

     

  • Hi,

    • SSL VPN mode (with webtop, portal access, rewrite) is to publish multiple resources behind one public hostname (ssl.domain.com). This deployment uses the APM CCU licence and the APM session licence.
    • LTM+APM mode (as described in the previous answer) is to add authentication on top of a virtual server. This deployment does not use the APM CCU licence, only the APM session licence.

    The rewrite portal profile uses an old (very, very old) process from FirePass which causes lots of rewriting issues. Rewrite split tunneling as proposed by Seth is more complex to configure.

    Exchange does not need URL rewriting. As OWA is deployed with the DNS name mail.company.com, I think OWA is the only application published by the access policy.

    So LTM+APM mode:

    • is easier to configure
    • is more efficient because there is no need to inspect the response page to replace the internal URL with https://mail.domain.com/f5-w1232346453429$$/home/init.jsp
    • is dedicated to publishing one web resource which doesn't need rewriting
    • is licence free except for the APM base licence (the APM base licence adds the max appliance session licence)
    • allows publishing Outlook Anywhere, ActiveSync, EWS and OAB with the Exchange profile

    You can configure both modes, but I recommend using LTM+APM mode...

     

  • Hi, it's an LTM + APM mode setup. But I'm able to access the URLs in my mailbox when I open my mail over access policies with OWA.

     

  • Email is launched using the VIP configured on the APM, on which an access policy for OWA access was set up. The client is able to authenticate and launch his resources, i.e. his mailbox. If there are any URLs in his email, he is able to access them too.

    Let's say the OWA VIP is and there is a URL in the Outlook mail, let's say https://myinternalserver.mydomain.com/home/init.jsp; if the client clicks on it, he is able to access the URL through the APM default route. When the client clicks on the URL, a new tab opens and the URL will be https://mail.domain.com/f5-w1232346453429$$/home/init.jsp, which means that APM is trying to open a connection to internal servers using a default route or some VLAN configured on the APM. Ideally this shouldn't be the case; the user should be prompted with an error page showing 'You do not have permission to access this page.' Can someone suggest how to block this URL redirection or accessibility?

     

    Here is the VIP and the access policy configuration.

    VIP::

    ltm virtual exch-cas-https {
        destination 200.200.200.20:https
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            exch_owa_cookie { default yes }
        }
        profiles {
            Exchange-OWA-Rewrite { }
            Exchange-OWA-app { }
            connectivity-for-upgrade { context clientside }
            exch_owa_https { context clientside }
            http { }
            ppp { }
            serverssl { context serverside }
            tcp-lan-optimized { context serverside }
            tcp-wan-optimized { context clientside }
            websso { }
        }
        rules { Exchange_OWA_cookie_add prepend LogoffWorkaround }
        source 0.0.0.0/0
        source-address-translation { type automap }
        vs-index 7
    }

    Here are the screenshots of the access policy configured on the APM.

     

  • I have tried to allow only those internal hosts which are required in the ACL, and there is a deny statement which blocks access to the rest of my resources. This ACL is applied in the resource assignment tab.

    To my understanding, with the above config, it should block anything else from my APM. The issue is, if there is any URL (a URL to access any of my internal services like SharePoint in my emails), I'm able to access the internal resources though my ACL has a deny. I'm able to access the internal SharePoint sites if the URL is present in my emails.
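Added example, not from this thread and not F5 code: a small Python audit over request logs from the OWA virtual server. The thread shows that a portal-access rewrite turns an internal link into https://mail.domain.com/f5-w...$$/home/init.jsp, so from the client side the only evidence of which internal host was reached is that rewritten path segment. The script assumes the /f5-w-<hex>$$/<path> form, where the hex segment is the origin scheme://host, decodes each rewritten path back to its origin host, and compares that host with an allowlist holding only the Exchange backend. The log line format, the client addresses, the hostnames (exchange-cas.mydomain.com, sharepoint.mydomain.com) and the allowlist are constructed for the example; portal_rewrite only models the encoding so that sample lines can be built offline.

```python
import re
from urllib.parse import urlsplit

# Assumed portal-access rewrite form: /f5-w-<hex(origin)>$$/<origin path>,
# with <hex(origin)> the hex encoding of "scheme://host[:port]".
# This helper exists only to build constructed sample data; it is not F5 code.
def portal_rewrite(origin, path="/"):
    return "/f5-w-" + origin.encode("ascii").hex() + "$$" + path

REWRITTEN = re.compile(r"^/f5-w-([0-9a-fA-F]+)\$\$(/[^\s]*)?$")


def decode_rewritten_path(path):
    """Return (origin, origin_path) for a rewritten path, or None for an
    ordinary (non-rewritten) path. Raises ValueError when the hex segment
    does not decode to something that looks like a URL origin."""
    m = REWRITTEN.match(path)
    if m is None:
        return None
    # bytes.fromhex raises ValueError on odd length; decode raises a
    # UnicodeDecodeError (a ValueError subclass) on non-ASCII bytes.
    origin = bytes.fromhex(m.group(1)).decode("ascii")
    if urlsplit(origin).hostname is None:
        raise ValueError("rewritten segment is not a URL origin: %r" % origin)
    return origin, m.group(2) or "/"


def classify_request(path, allowed_hosts):
    """Return (verdict, origin_host). Verdicts: 'direct' (path not rewritten,
    i.e. served by the OWA VIP itself), 'allowed' (rewritten, origin host is
    on the allowlist), 'blocked' (rewritten to a host that should not be
    reachable through this VIP) or 'malformed' (undecodable segment)."""
    try:
        decoded = decode_rewritten_path(path)
    except ValueError:
        return "malformed", None
    if decoded is None:
        return "direct", None
    host = urlsplit(decoded[0]).hostname  # urlsplit lowercases the host
    return ("allowed" if host in allowed_hosts else "blocked"), host


# Constructed log line layout: "<client> <method> <path> <status>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def audit_log(lines, allowed_hosts):
    """Parse the constructed log lines and return one
    (client, verdict, origin_host, path) tuple per parseable line."""
    results = []
    for line in lines:
        m = LINE.match(line.strip())
        if m is None:
            continue  # skip lines that do not follow the sample layout
        client, _method, path, _status = m.groups()
        verdict, host = classify_request(path, allowed_hosts)
        results.append((client, verdict, host, path))
    return results


# Constructed allowlist: in LTM+APM mode the only origin the OWA VIP should
# ever front is the Exchange CAS backend (hostname is an assumption).
ALLOWED_HOSTS = {"exchange-cas.mydomain.com"}

# Constructed sample log: plain OWA traffic, two rewritten requests to
# internal servers quoted in the thread (an internal app server and
# SharePoint), one rewritten request to the Exchange backend, and one
# rewritten path whose hex segment ("ab") is not an origin.
SAMPLE_LOG = [
    "203.0.113.5 GET /owa/ 200",
    "203.0.113.5 GET " + portal_rewrite("https://myinternalserver.mydomain.com", "/home/init.jsp") + " 200",
    "203.0.113.7 GET " + portal_rewrite("https://sharepoint.mydomain.com", "/sites/hr") + " 200",
    "203.0.113.9 GET " + portal_rewrite("https://exchange-cas.mydomain.com", "/owa/auth.owa") + " 200",
    "203.0.113.9 GET /f5-w-6162$$/x 400",
]


def findings():
    """Only the entries a defender needs to look at: requests that reached a
    host outside the allowlist, plus undecodable rewritten paths."""
    return [r for r in audit_log(SAMPLE_LOG, ALLOWED_HOSTS)
            if r[1] in ("blocked", "malformed")]


if __name__ == "__main__":
    for client, verdict, host, path in audit_log(SAMPLE_LOG, ALLOWED_HOSTS):
        print("%-9s %-13s %-32s %s" % (verdict, client, host or "-", path))
```

Run against real request logs, a non-empty 'blocked' list is the quickest confirmation that the VIP is still proxying to hosts other than Exchange (for instance because a rewrite profile is still attached, as in the virtual server shown above), independently of what the ACL is expected to do; an 'allowed'-only result after the configuration change is the corresponding check that the fix took effect.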